
The US government, with its own hacking of other countries as revealed by Snowden, its strategic rivalry with China, and its history of false intelligence such as WMD in Iraq, isn’t a trustworthy source to evaluate Huawei’s security.

Huawei has completely opened its source code and hardware to several governments, including UK, Canada and Germany, for security testing. Their findings are much more informative and objective.

Best security doesn’t come from paranoia of certain countries. It comes from evidence based and rigorous testing and research.



> Huawei has completely opened its source code and hardware to several governments, including UK, Canada and Germany, for security testing. Their findings are much more informative and objective.

What does this even mean? If I give a batch of governments some of my super secret text files and pinky promise that's what's in the hardware I'm giving them, they should believe me?

The US can be trusted to advance its own interests. So can China. Everyone else had best evaluate their threat vectors and find out where their interests conflict with bigger and stronger interests.

Your comment history might have predicted that you'd comment on this topic. You don't have many other interests.


To add to this, what is described is called Shared Source, not Open Source or Libre Software. Microsoft does shared source with numerous governments and universities, but you're placing complete trust in the vendor that the code they show you is what is in their distributed binaries, esp. with how many compilers output different binaries when recompiled with the same code.

The only way to even start considering any of the current telecom vendors (including Huawei, NSN, etc.) as not malicious is to have them offer their code under a libre license that bars tivoization; otherwise there is no guarantee that you can load the firmware they gave you the source to onto the LTE base stations sold to your company.


The testing centers have more sophisticated methods to address your concern. They procure Huawei equipment from various vendors and check if they have the same hardware and software. In fact, the recent report from UK did find minor shortcomings related to binary mismatch in huawei products.

My point is not that testing centers can provide a 100% guarantee; such a guarantee does not exist in the security field. However, shared hardware and rigorous testing provide far better security than blind trust and paranoia.

Also, what's wrong with being interested in the Sino-US technological relationship?
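The two comments above turn on one concrete check: does the binary actually shipped in procured equipment match what you get by rebuilding the source the vendor disclosed, and do units bought through different channels match each other? The script below is an added illustration of that comparison, not code from any testing centre or vendor. It assumes a constructed toy firmware layout (a magic string, a build timestamp, a code section and a config section) and constructed sample images; the point it makes is the caveat raised in the thread: a non-reproducible build legitimately produces a mismatch in fields like the timestamp, so a useful check masks the regions known to vary and flags only the rest.

```python
import hashlib
from typing import Dict, List

# Constructed toy firmware layout (an assumption for this example, not any real vendor format):
#   bytes  0..3   magic b"FW01"
#   bytes  4..7   build timestamp, big-endian uint32 (varies between otherwise identical builds)
#   bytes  8..39  code section (32 bytes)
#   bytes 40..55  config section (16 bytes)
REGIONS = {
    "magic": (0, 4),
    "timestamp": (4, 8),
    "code": (8, 40),
    "config": (40, 56),
}
# Regions a reproducible-build policy would mask before comparing.
# Anything outside this set that differs is unexplained and must be investigated.
NONDETERMINISTIC = {"timestamp"}


def region_digests(image: bytes) -> Dict[str, str]:
    """SHA-256 of each region, so a mismatch can be attributed to a region, not just 'the file'."""
    return {name: hashlib.sha256(image[a:b]).hexdigest() for name, (a, b) in REGIONS.items()}


def compare_to_reference(reference: bytes, samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """For each procured sample, list regions whose bytes differ from the reference image
    (the one rebuilt from the disclosed source), ignoring known-nondeterministic regions.
    A length mismatch is reported as its own finding because region offsets no longer line up."""
    ref = region_digests(reference)
    findings: Dict[str, List[str]] = {}
    for source, image in samples.items():
        if len(image) != len(reference):
            findings[source] = ["<length mismatch>"]
            continue
        digests = region_digests(image)
        findings[source] = [
            name for name in REGIONS
            if digests[name] != ref[name] and name not in NONDETERMINISTIC
        ]
    return findings


def verdict(findings: Dict[str, List[str]]) -> Dict[str, str]:
    """OK only when every unexplained region matches; anything else needs a human look."""
    return {source: ("OK" if not regions else "INVESTIGATE") for source, regions in findings.items()}


def build_image(timestamp: int, code: bytes, config: bytes) -> bytes:
    """Assemble a constructed image in the toy layout above."""
    assert len(code) == 32 and len(config) == 16
    return b"FW01" + timestamp.to_bytes(4, "big") + code + config


# Constructed inputs: a reference rebuilt from source, and three units bought via different channels.
CODE = bytes(range(32))
CONFIG = b"\x00" * 16
REFERENCE = build_image(0x5C000000, CODE, CONFIG)
SAMPLES = {
    "distributor_A": build_image(0x5C000001, CODE, CONFIG),                    # only the timestamp differs
    "distributor_B": build_image(0x5C000002, CODE[:16] + b"\xff" * 16, CONFIG),  # code section differs
    "distributor_C": REFERENCE + b"\x00",                                       # extra trailing byte
}

if __name__ == "__main__":
    findings = compare_to_reference(REFERENCE, SAMPLES)
    for source, status in verdict(findings).items():
        print(f"{source}: {status} {findings[source]}")
```

Plain whole-file hashes would flag all three samples and tell you nothing about why; the region-aware comparison clears the sample that differs only in a build timestamp and singles out the one whose code section changed. In practice the masked set should come from a reproducible-build process on the disclosed source, not from guesswork, which is exactly why the compiler nondeterminism mentioned above matters.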


I'd be interested in further details about the testing. If any manufacturer actively wants to backdoor their hardware I'm skeptical that anything but an extremely expensive teardown of an infected device would find it.

It is simply incorrect to imply that reading vendor provided source can usefully decrease the possibility of a targeted attack. Comparing (hardware provided?) software checksums is not a real improvement. Juxtaposed with your "interest" in the topic, such an argument naturally arouses suspicion (sorry).

There is obviously nothing "wrong" with being interested in this fascinating clash of powerful interests, the amount of interest each discussion gets shows you are not alone.

So I'm not just hammering at what you've said, I'll make my own statement: There's absolutely nothing you can do to defend against a motivated attacker providing you with complex computer hardware (let's say anything that has software/firmware). Corollary: It's a fool's game to use hardware from those whose interests conflict with your own.

China and the US have a massive conflict of their interests. Each should not use hardware provided by the other. The risk for each is real and unavoidable.


Hardware testing is much more than firmware checksum comparison. Once you have the blueprint, you can physically compare it against samples using various methods such as x-ray, acoustic and electric profiling to detect any differences. Furthermore, hardware is generally retained for a long time and can be checked with future anti-tampering technologies.

These measures do not offer perfect security. They simply make the cost of hacking and the chance of being caught very high, even for state actors. We could achieve fairly strong security at an affordable cost for most civilian uses. At least, tested Huawei hardware may be a good alternative to untested hardware from another vendor (which is probably manufactured in China too) at an inflated price.

Of course, if you are still concerned, why not take a course on microprocessor and build your own CPU? ;)


It looks like you're moving the verification goalposts away from what is actually running on the hardware and simultaneously walking this back from government to civilian uses. These are completely different discussions (though I might add that governments rely heavily on the private sector, so some pressure there is expected).

Another completely different line of discussion is whether I personally am concerned at all (I'm not), and what I should do about it (nothing, but governments certainly should build their own CPU).

> We could achieve fairly strong security at an affordable cost

No. We cannot achieve strong security in a device that comes with software. You also cannot (at the time of this writing) prove that the actual hardware you personally are running is trustworthy without spending enough that the "affordable cost" becomes a moot point.

A wide swath of civilian uses can probably come out on top of the cost/benefit analysis just because their interests don't get in the way of governmental conflicts (or they can make enough money in the meantime). It's only from the perspective of a government that this conversation makes any sense at all.


There are many academically verified attack vectors that cannot be verified to exist with any known external test even if one had the layout of the billions of transistors. Bit flips through sequential activation of memory addresses, for example.


Large international dealings are never about 'truth' - they are about the balance of a web of geopolitical issues.

Also, this is not paranoia, it's a geostrategic fight based on the reality that a) China and US/West are doing a lot to actively spy on one another b) they're in a trade war.

Also China does not have an open market for US/Western products and I don't see any reason why the same rules applied by China to the West should not apply to Chinese companies coming to the West. That would be closer to 'fair free trade'.

But yes - if the hardware and software are both open for inspection - that is a kind of 'truth' as you say.

And companies should then be able to decide for themselves.

Question: is it true though that both hardware and software are in fact fully open? How do they maintain their IP in this case?


Uh, hardware being open means nothing. Your supplier can swap your standard chip for a spy chip and open hardware will not be able to help you catch that.


This isn't really about spying. The reality is that Huawei's equipment is the best in the world for the money. It's not even close. Given a free market (remember that?) there's really no doubt that Huawei will go on to completely dominate this market over the next decade. It's already the largest telecom equipment maker in the world [1] and its size only makes its products and architects more and more competitive with each day. It's a virtuous cycle at work that nobody can deny anymore. The numbers don't lie: what you have here is a technologically sophisticated market where the West cannot compete with China at all. This is supposed to be impossible!

Now there is a legitimate national security concern about having the world's telecom equipment manufactured by a single company. But there's only so much one can do under existing trade treaties. It's also really not a good look for the US and the West to be seen actively trying to disrupt the free market at work. And so we get this concocted story about spying. It's concocted because nobody, despite spending millions and millions of dollars investigating Huawei and studying its boxes, has ever shown the company participating in anything like espionage. Most people can see through this blatant protectionist hypocrisy [2]. Ironically all the security research on Huawei has only served to make their products much more secure than the competition.

[1] https://www.caixinglobal.com/2018-03-19/huawei-now-worlds-la...

[2] https://www.theregister.co.uk/2018/01/11/comment_huawei_usa/


" Given a free market (remember that?)"

Huawei is a state-backed organization working from a closed, controlled economy where not even information, let alone products, services and capital flow freely.

So if the cost of having to inspect every single piece of Huawei gear, plus check and load the software still keeps them 'competitive' then it might be worth it to outsiders, but probably not.

Given that it's commodity gear, perhaps someone will come along, say from Taiwan ... and produce the same thing at competitive costs, wherein security is not a factor and then, yes, that entity would be poised to dominate on price.


Your reasoning misses an important aspect: the incentives.

Does the Chinese government have the incentive to take advantage when it has the opportunity?

Does Huawei have incentives/disincentives to respond or not respond to the demands of the government?


Huawei does have a disincentive to respond to the demands of the Chinese government because its hardware is opened and checked by other governments. Installing a backdoor has a good chance of being caught.


You probably underestimate the mindset difference between Americans' skepticism toward the government (as this thread shows) and how the Chinese tend to see their government in a parental role. When a U.S. company refuses to be complicit in unjustified spying, you would see public opinion inclined to praise the brave and blame the government. On the other hand, it is much tougher for a Chinese company to be disobedient to the authority, especially when it comes to things like national security. The best case is you are not regarded as a traitor and boycotted aggressively by the patriotic zealots who are coincidentally the political correctness most of the time. Let alone that the Chinese government has much more 'versatile' means to make you suffer without being held accountable by public opinion/opposition parties/media.


Allegedly everyone engages in corporate espionage.

